Cisco Nexus 7000 Series NX-OS Layer 2 Switching Configuration Guide First Published: 2016-12-24 Last Modified: 2018-07-26 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883


  • THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

    THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

    The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

    NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

    IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

    All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

    Cisco has more than 200 offices worldwide. Addresses and phone numbers are listed on the Cisco website at www.cisco.com/go/offices.

    Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

    © 2016–2018 Cisco Systems, Inc. All rights reserved.


  • Contents

    Preface
      Preface
      Audience
      Document Conventions
      Related Documentation
      Documentation Feedback
      Communications, Services, and Additional Information

    Chapter 1: New and Changed Information
      New and Changed Information

    Chapter 2: Overview
      Licensing Requirements
      Layer 2 Ethernet Switching Overview
      VLANs
      Private VLANs
      Spanning Tree
      STP Overview
      Rapid PVST+
      MST
      STP Extensions
      Virtualization
      Related Topics

    Chapter 3: Configuring Layer 2 Switching
      Finding Feature Information
      Information About Layer 2 Switching
      Layer 2 Ethernet Switching Overview
      Switching Frames Between Segments
      Building the Address Table and Address Table Changes
      Consistent MAC Address Tables on the Supervisor and on the Modules
      Layer 3 Static MAC Addresses
      High Availability for Switching
      Virtualization Support for Layer 2 Switching
      MAC Address Movement
      Prerequisites for Configuring MAC Addresses
      Guidelines and Limitations for Configuring MAC Addresses
      Default Settings for Layer 2 Switching
      Configuring Layer 2 Switching
      Configuring a Static MAC Address
      Configuring a Static MAC Address on a Layer 3 Interface
      Configuring the Aging Time for the MAC Address Table
      Configuring Learning Mode for VLANs
      Enabling MAC Move Protection
      Checking the Consistency of MAC Address Tables
      Clearing Dynamic Addresses from the MAC Address Table
      Verifying the Layer 2 Switching Configuration
      Configuration Example for Layer 2 Switching
      Additional References for Layer 2 Switching
      Feature History for Configuring Layer 2 Switching

    Chapter 4: Configuring VLANs
      Finding Feature Information
      Information About VLANs
      Understanding VLANs
      VLAN Ranges
      Creating, Deleting, and Modifying VLANs
      High Availability for VLANs
      Virtualization Support for VLANs
      Prerequisites for Configuring VLANs
      Guidelines and Limitations for Configuring VLANs
      Default Settings for VLANs
      Configuring a VLAN
      Creating and Deleting a VLAN
      Entering the VLAN Configuration Submode
      Configuring a VLAN
      Changing the Range of Reserved VLANs
      Configuring a VLAN Before Creating the VLAN
      Configuring VLAN Long-Name
      Configuring VLAN Translation on a Trunk Port
      Verifying the VLAN Configuration
      Displaying and Clearing VLAN Statistics
      Configuration Example for VLANs
      Additional References for VLANs
      Feature History for Configuring VLANs

    Chapter 5: Configuring MVRP
      Finding Feature Information
      Information About MVRP
      Guidelines and Limitations for Configuring MVRP
      Default Settings for MVRP
      Configuring MVRP
      Enabling MVRP
      Modifying the MVRP Configuration on the Interface
      Verifying the MVRP Configuration
      Clearing MVRP Statistics
      Feature History for Configuring MVRP

    Chapter 6: Configuring VTP
      Finding Feature Information
      Information About VTP
      VTP
      VTP Overview
      VTP Modes
      VTP Per Interface
      VTP Pruning
      VTP Pruning and Spanning Tree Protocol
      VTPv3
      Restrictions for Configuring the VLAN Trunking Protocol
      Default Settings
      Configuring VTP
      Configuring VTP Pruning

    Chapter 7: Configuring Private VLANs Using NX-OS
      Finding Feature Information
      Information About Private VLANs
      Private VLAN Overview
      Primary and Secondary VLANs in Private VLANs
      Private VLAN Ports
      Primary, Isolated, and Community Private VLANs
      Associating Primary and Secondary VLANs
      Broadcast Traffic in Private VLANs
      Private VLAN Port Isolation
      Private VLANs and VLAN Interfaces
      Private VLANs Across Multiple Devices
      High Availability for Private VLANs
      Virtualization Support for Private VLANs
      PVLAN (Isolated) on FEX HIF (Cisco Nexus 7000 Parent)
      Supported Topologies for Isolated PVLAN on FEX HIF
      Prerequisites for Private VLANs
      Guidelines and Limitations for Configuring Private VLANs
      Secondary and Primary VLAN Configuration
      Private VLAN Port Configuration
      Limitations with Other Features
      Default Settings for Private VLANs
      Configuring a Private VLAN
      Enabling Private VLANs
      Configuring a VLAN as a Private VLAN
      Associating Secondary VLANs with a Primary Private VLAN
      Mapping Secondary VLANs to the VLAN Interface of a Primary VLAN
      Configuring a Layer 2 Interface as a Private VLAN Host Port
      Configuring a Layer 2 Interface as a Private VLAN Isolated Trunk Port
      Configuring a Layer 2 Interface as a Private VLAN Promiscuous Port
      Configuring a Layer 2 Interface as a Private VLAN Promiscuous Trunk Port
      Configuring Isolated PVLANs on FEX HIF Ports
      Disabling PVLAN on HIF Ports
      Configuring PVLAN on FEX Isolated Ports
      Configuring PVLAN on Trunk Secondary Port
      Verifying PVLAN (Isolated) Configurations on FEX HIF
      Verifying the Private VLAN Configuration
      Displaying and Clearing Private VLAN Statistics
      Configuration Examples for Private VLANs
      Additional References for Private VLANs
      Feature History for Configuring Private VLANs

    Chapter 8: Configuring Rapid PVST+ Using Cisco NX-OS
      Finding Feature Information
      Information About Rapid PVST+
      STP
      Overview of STP
      How a Topology is Created
      Bridge ID
      BPDUs
      Election of the Root Bridge
      Creating the Spanning Tree Topology
      Rapid PVST+
      Overview of Rapid PVST+
      Rapid PVST+ BPDUs
      Proposal and Agreement Handshake
      Protocol Timers
      Port Roles
      Rapid PVST+ Port State Overview
      Synchronization of Port Roles
      Detecting Unidirectional Link Failure: Rapid PVST+
      Port Cost
      Port Priority
      Rapid PVST+ and IEEE 802.1Q Trunks
      Rapid PVST+ Interoperation with Legacy 802.1D STP
      Rapid PVST+ Interoperation with 802.1s MST
      High Availability for Rapid PVST+
      Virtualization Support for Rapid PVST+
      Prerequisites for Configuring Rapid PVST+
      Guidelines and Limitations for Configuring Rapid PVST+
      Default Settings for Rapid PVST+
      Configuring Rapid PVST+
      Guidelines for Configuring Rapid PVST+
      Enabling Rapid PVST+—CLI Version
      Disabling or Enabling Rapid PVST+ Per VLAN—CLI Version
      Configuring the Root Bridge ID
      Configuring a Secondary Root Bridge—CLI Version
      Configuring the Rapid PVST+ Bridge Priority of a VLAN
      Configuring the Rapid PVST+ Port Priority—CLI Version
      Configuring the Rapid PVST+ Path-Cost Method and Port Cost—CLI Version
      Configuring the Rapid PVST+ Hello Time for a VLAN—CLI Version
      Configuring the Rapid PVST+ Forward Delay Time for a VLAN—CLI Version
      Configuring the Rapid PVST+ Maximum Age Time for a VLAN—CLI Version
      Specifying the Link Type for Rapid PVST+—CLI Version
      Reinitializing the Protocol for Rapid PVST+
      Verifying the Rapid PVST+ Configurations
      Displaying and Clearing Rapid PVST+ Statistics—CLI Version
      Rapid PVST+ Example Configurations
      Additional References for Rapid PVST+—CLI Version
      Feature History for Configuring Rapid PVST+—CLI Version

    Chapter 9: Configuring MST Using Cisco NX-OS
      Finding Feature Information
      Information About MST
      MST Overview
      MST Regions
      MST BPDUs
      MST Configuration Information
      IST, CIST, and CST
      IST, CIST, and CST Overview
      Spanning Tree Operation Within an MST Region
      Spanning Tree Operations Between MST Regions
      MST Terminology
      Hop Count
      Boundary Ports
      Detecting Unidirectional Link Failure
      Port Cost and Port Priority
      Interoperability with IEEE 802.1D
      High Availability for MST
      Virtualization Support for MST
      Prerequisites for MST
      Guidelines and Limitations for Configuring MST
      Default Settings for MST
      Configuring MST
      Enabling MST—CLI Version
      Entering MST Configuration Mode
      Specifying the MST Name
      Specifying the MST Configuration Revision Number
      Specifying the Configuration on an MST Region
      Mapping or Unmapping a VLAN to an MST Instance—CLI Version
      Mapping Secondary VLANs to Same MSTI as Primary VLANs for Private VLANs
      Configuring the Root Bridge
      Configuring an MST Secondary Root Bridge
      Configuring the MST Switch Priority
      Configuring the MST Port Priority
      Configuring the MST Port Cost
      Configuring the MST Hello Time
      Configuring the MST Forwarding-Delay Time
      Configuring the MST Maximum-Aging Time
      Configuring the MST Maximum-Hop Count
      Configuring an Interface to Proactively Send Prestandard MSTP Messages—CLI Version
      Specifying the Link Type for MST—CLI Version
      Reinitializing the Protocol for MST
      Verifying the MST Configuration
      Displaying and Clearing MST Statistics—CLI Version
      MST Example Configuration
      Additional References for MST—CLI Version
      Feature History for Configuring MST—CLI Version

    Chapter 10: Configuring STP Extensions Using Cisco NX-OS
      Finding Feature Information
      Information About STP Extensions
      STP Port Types
      STP Edge Ports
      Bridge Assurance
      BPDU Guard
      BPDU Filtering
      Loop Guard
      Root Guard
      Applying STP Extension Features
      PVST Simulation
      High Availability for STP
      Virtualization Support for STP Extensions
      Prerequisites for STP Extensions
      Guidelines and Limitations for Configuring STP Extensions
      Default Settings for STP Extensions
      Configuring STP Extensions
      Configuring Spanning Tree Port Types Globally
      Configuring Spanning Tree Edge Ports on Specified Interfaces
      Configuring Spanning Tree Network Ports on Specified Interfaces
      Enabling BPDU Guard Globally
      Enabling BPDU Guard on Specified Interfaces
      Enabling BPDU Filtering Globally
      Enabling BPDU Filtering on Specified Interfaces
      Enabling Loop Guard Globally
      Enabling Loop Guard or Root Guard on Specified Interfaces
      Configuring PVST Simulation Globally—CLI Version
      Configuring PVST Simulation Per Port
      Verifying the STP Extension Configuration
      Configuration Examples for STP Extension
      Additional References for STP Extensions—CLI Version
      Feature History for Configuring STP Extensions—CLI version

    Appendix A: Configuration Limits for Layer 2 Switching
      Configuration Limits for Layer 2 Switching

  • Preface

    The preface contains the following sections:

    • Preface

    Preface

    This preface describes the audience, organization, and conventions of the Book Title. It also provides information on how to obtain related documentation.

    This chapter includes the following topics:

    Audience

    This publication is for experienced network administrators who configure and maintain Cisco NX-OS on Cisco Nexus 7000 Series Platform switches.

    Document Conventions

    Note:

    • As part of our constant endeavor to remodel our documents to meet our customers' requirements, we have modified the manner in which we document configuration tasks. As a result of this, you may find a deviation in the style used to describe these tasks, with the newly included sections of the document following the new format.

    • The Guidelines and Limitations section contains general guidelines and limitations that are applicable to all the features, and the feature-specific guidelines and limitations that are applicable only to the corresponding feature.

    Command descriptions use the following conventions:

    • bold: Bold text indicates the commands and keywords that you enter literally as shown.
    • Italic: Italic text indicates arguments for which the user supplies the values.
    • [x]: Square brackets enclose an optional element (keyword or argument).
    • [x | y]: Square brackets enclosing keywords or arguments separated by a vertical bar indicate an optional choice.
    • {x | y}: Braces enclosing keywords or arguments separated by a vertical bar indicate a required choice.
    • [x {y | z}]: Nested set of square brackets or braces indicate optional or required choices within optional or required elements. Braces and a vertical bar within square brackets indicate a required choice within an optional element.
    • variable: Indicates a variable for which you supply values, in context where italics cannot be used.
    • string: A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.

    Examples use the following conventions:

    • screen font: Terminal sessions and information the switch displays are in screen font.
    • boldface screen font: Information you must enter is in boldface screen font.
    • italic screen font: Arguments for which you supply values are in italic screen font.
    • < >: Nonprinting characters, such as passwords, are in angle brackets.
    • [ ]: Default responses to system prompts are in square brackets.
    • !, #: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

    This document uses the following conventions:

    Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

    Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

    Related Documentation

    Documentation for Cisco Nexus 7000 Series Switches is available at:

    • Configuration Guides

    http://www.cisco.com/c/en/us/support/switches/nexus-7000-series-switches/products-installation-and-configuration-guides-list.html

    • Command Reference Guides

    http://www.cisco.com/c/en/us/support/switches/nexus-7000-series-switches/products-command-reference-list.html

    • Release Notes

    http://www.cisco.com/c/en/us/support/switches/nexus-7000-series-switches/products-release-notes-list.html

    • Install and Upgrade Guides

    http://www.cisco.com/c/en/us/support/switches/nexus-7000-series-switches/products-installation-guides-list.html

    • Licensing Guide

    http://www.cisco.com/c/en/us/support/switches/nexus-7000-series-switches/products-licensing-information-listing.html

    Documentation for Cisco Nexus 7000 Series Switches and Cisco Nexus 2000 Series Fabric Extenders is available at the following URL:

    http://www.cisco.com/c/en/us/support/switches/nexus-2000-series-fabric-extenders/products-installation-and-configuration-guides-list.html

    Documentation Feedback

    Communications, Services, and Additional Information

    • To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.

    • To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.

    • To submit a service request, visit Cisco Support.

    • To discover and browse secure, validated enterprise-class apps, products, solutions and services, visit Cisco Marketplace.

    • To obtain general networking, training, and certification titles, visit Cisco Press.

    • To find warranty information for a specific product or product family, access Cisco Warranty Finder.

    Cisco Bug Search Tool

    Cisco Bug Search Tool (BST) is a web-based tool that acts as a gateway to the Cisco bug tracking system that maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. BST provides you with detailed defect information about your products and software.


  • Chapter 1: New and Changed Information

    • New and Changed Information

    New and Changed Information

    The table below summarizes the new and changed features for this document and shows the releases in which each feature is supported. Your software release might not support all the features in this document. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release.

    This book does not contain any new feature for the Cisco NX-OS Release 8.0(1).

  • Chapter 2: Overview

    This chapter provides an overview of the Cisco NX-OS devices that support Layer 2 features.

    This chapter includes the following sections:

    • Licensing Requirements
    • Layer 2 Ethernet Switching Overview
    • VLANs
    • Private VLANs
    • Spanning Tree
    • Virtualization
    • Related Topics

    Licensing Requirements

    For a complete explanation of Cisco NX-OS licensing recommendations and how to obtain and apply licenses, see the Cisco NX-OS Licensing Guide (https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/nx-os/licensing/guide/b_Cisco_NX-OS_Licensing_Guide.html).

    Layer 2 Ethernet Switching Overview

    The device supports simultaneous, parallel connections between Layer 2 Ethernet segments. Switched connections between Ethernet segments last only for the duration of the packet. New connections can be made between different segments for the next packet.

    The device solves congestion problems caused by high-bandwidth devices and a large number of users by assigning each device (for example, a server) to its own domain. Because each LAN port connects to a separate Ethernet collision domain, servers in a switched environment achieve full access to the bandwidth.

    Because collisions cause significant congestion in Ethernet networks, an effective solution is full-duplex communication. Typically, 10/100-Mbps Ethernet operates in half-duplex mode, which means that stations can either receive or transmit. In full-duplex mode, which is configurable on these interfaces, two stations can transmit and receive at the same time. When packets can flow in both directions simultaneously, the effective Ethernet bandwidth doubles. 1/10-Gigabit Ethernet operates in full duplex only.

    VLANs

    A VLAN is a switched network that is logically segmented by function, project team, or application, without regard to the physical locations of the users. VLANs have the same attributes as physical LANs, but you can group end stations even if they are not physically located on the same LAN segment.

    Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations in that VLAN. Each VLAN is considered as a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a bridge or a router.

    All ports are assigned to the default VLAN (VLAN1) when the device first comes up. A VLAN interface, or switched virtual interface (SVI), is a Layer 3 interface that is created to provide communication between VLANs.

    The devices support 4094 VLANs in accordance with the IEEE 802.1Q standard. These VLANs are organized into several ranges, and you use each range slightly differently. Some of these VLANs are reserved for internal use by the device and are not available for configuration.

    Note: Inter-Switch Link (ISL) trunking is not supported on the Cisco NX-OS.

    Private VLANs

    Private VLANs provide traffic separation and security at the Layer 2 level.

    A private VLAN is one or more pairs of a primary VLAN and a secondary VLAN, all with the same primary VLAN. The two types of secondary VLANs are isolated and community VLANs. Hosts on isolated VLANs communicate only with hosts in the primary VLAN. Hosts in a community VLAN can communicate only among themselves and with hosts in the primary VLAN but not with hosts in isolated VLANs or in other community VLANs.

    Regardless of the combination of isolated and community secondary VLANs, all interfaces within the primary VLAN comprise one Layer 2 domain, and therefore, require only one IP subnet.

    Spanning Tree

    This section discusses the implementation of the Spanning Tree Protocol (STP) on the software. Spanning tree is used to refer to IEEE 802.1w and IEEE 802.1s. When the IEEE 802.1D Spanning Tree Protocol is referred to in the publication, 802.1D is stated specifically.

    STP Overview

    STP provides a loop-free network at the Layer 2 level. Layer 2 LAN ports send and receive STP frames, which are called Bridge Protocol Data Units (BPDUs), at regular intervals. Network devices do not forward these frames but use the frames to construct a loop-free path.

    802.1D is the original standard for STP, and many improvements have enhanced the basic loop-free STP. You can create a separate loop-free path for each VLAN, which is named Per VLAN Spanning Tree (PVST+).

    Additionally, the entire standard was reworked to make the loop-free convergence process faster to keep up with the faster equipment. This STP standard with faster convergence is the 802.1w standard, which is known as Rapid Spanning Tree (RSTP). Now, these faster convergence times are available as you create STP for each VLAN, which is known as Per VLAN Rapid Spanning Tree (Rapid PVST+).

    Finally, the 802.1s standard, Multiple Spanning Tree (MST), allows you to map multiple VLANs into a single spanning tree instance. Each instance runs an independent spanning tree topology.

    Although the software can interoperate with legacy 802.1D systems, the system runs Rapid PVST+ and MST. You can use either Rapid PVST+ or MST in a given VDC; you cannot mix both in one VDC. Rapid PVST+ is the default STP protocol for Cisco NX-OS devices.

    Note: Cisco NX-OS uses the extended system ID and MAC address reduction; you cannot disable these features.

    In addition, Cisco has created some proprietary features to enhance the spanning tree activities.

    Rapid PVST+

    Rapid PVST+ is the default spanning tree mode for the software and is enabled by default on the default VLAN and all newly created VLANs.

    A single instance, or topology, of RSTP runs on each configured VLAN, and each Rapid PVST+ instance on a VLAN has a single root device. You can enable and disable STP on a per-VLAN basis when you are running Rapid PVST+.

    MST

    The software also supports MST. The multiple independent spanning tree topologies enabled by MST provide multiple forwarding paths for data traffic, enable load balancing, and reduce the number of STP instances required to support a large number of VLANs.

    MST incorporates RSTP, so it also allows rapid convergence. MST improves the fault tolerance of the network because a failure in one instance (forwarding path) does not affect other instances (forwarding paths).

    Note: Changing the spanning tree mode disrupts the traffic because all spanning tree instances are stopped for the previous mode and started for the new mode.

    You can force specified interfaces to send prestandard, rather than standard, MST messages using the command-line interface.

    STP Extensions

    The software supports the following Cisco proprietary features:

    • Spanning tree port types—The default spanning tree port type is normal. You can configure interfaces connected to Layer 2 hosts as edge ports and interfaces connected to Layer 2 switches or bridges as network ports.

    • Bridge Assurance—Once you configure a port as a network port, Bridge Assurance sends BPDUs on all ports and moves a port into the blocking state if it no longer receives BPDUs. This enhancement is available only when you are running Rapid PVST+ or MST.

    • BPDU Guard—BPDU Guard shuts down the port if that port receives a BPDU.

    • BPDU Filter—BPDU Filter suppresses sending and receiving BPDUs on the port.

    • Loop Guard—Loop guard helps prevent bridging loops that could occur because of a unidirectional link failure on a point-to-point link.

    • Root Guard—The root guard feature prevents a port from becoming root port or blocked port. If a port configured for root guard receives a superior BPDU, the port immediately goes to the root-inconsistent (blocked) state.

    VirtualizationCisco NX-OS devices introduce support for multiple virtual device contexts (VDCs) on a single switchingdevice. Each VDC is treated as a standalone device with specific resources, such as physical interfaces,allocated to each VDC by the network admin role. An administrator is assigned to each VDC and thatadministrator has a limited view of the system within that specific VDC. Faults are also isolated to within thespecific VDC.

    This VDC concept applies to all features on Cisco NX-OS, including all Layer 2 switching features.

    Figure 1: VDCs with Layer 2 Services

    All processes work independently in each VDC. You can reuse the process identification numbers in different VDCs. This figure shows how to reuse the VLAN 100 identifier in each separate VDC.

    Each VDC acts as a standalone device with Layer 2 services available. VDCs allow you to share a physical device among several logical functions. You can provision and assign entirely separate Layer 2 resources to individual VDCs.

    You can configure several VDCs, and each VDC is a group of physical device resources. You assign resources and user roles for each VDC. VDCs allow flexible resources as well as enhanced fault isolation.

    VDCs allow the separation of processes and management environments, providing well-defined fault and administrative boundaries between logical devices. Each VDC can be considered as a separate device with its own configuration, resources, users, and management interface.

    VDCs define different administrator levels, or roles, that can access and administer each VDC. Commands outside the scope of a given user role are either hidden from that user’s view or can return an error if the command is entered. This feature limits the number of users who can access the entire physical device and introduce traffic-disrupting misconfigurations.

    Related Topics

    The following documents are related to the Layer 2 switching features:

    • Cisco Nexus 7000 Series NX-OS Layer 2 Switching Command Reference

    • Cisco DCNM Layer 2 Switching Configuration Guide

    • Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide

    • Cisco Nexus 7000 Series NX-OS Security Configuration Guide

    • Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide

    • Cisco NX-OS Licensing Guide

    • Cisco Nexus 7000 Series NX-OS High Availability and Redundancy Guide

    • Cisco Nexus 7000 Series NX-OS System Management Configuration Guide

    CHAPTER 3

    Configuring Layer 2 Switching

    This chapter describes how to configure Layer 2 switching using Cisco NX-OS.

    This chapter includes the following sections:

    • Finding Feature Information
    • Information About Layer 2 Switching
    • Prerequisites for Configuring MAC Addresses
    • Guidelines and Limitations for Configuring MAC Addresses
    • Default Settings for Layer 2 Switching
    • Configuring Layer 2 Switching
    • Verifying the Layer 2 Switching Configuration
    • Configuration Example for Layer 2 Switching
    • Additional References for Layer 2 Switching
    • Feature History for Configuring Layer 2 Switching

    Finding Feature Information

    Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "New and Changed Information" chapter or the Feature History table in this chapter.

    Information About Layer 2 Switching

    Note: See the Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide for information on creating interfaces.

    You can configure Layer 2 switching ports as access or trunk ports. Trunks carry the traffic of multiple VLANs over a single link and allow you to extend VLANs across an entire network. All Layer 2 switching ports maintain MAC address tables.

    Note: See the Cisco Nexus 7000 Series NX-OS High Availability and Redundancy Guide for complete information on high-availability features.

    Layer 2 Ethernet Switching Overview

    The device supports simultaneous, parallel connections between Layer 2 Ethernet segments. Switched connections between Ethernet segments last only for the duration of the packet. New connections can be made between different segments for the next packet.

    The device solves congestion problems caused by high-bandwidth devices and a large number of users by assigning each device (for example, a server) to its own domain. Because each LAN port connects to a separate Ethernet collision domain, servers in a switched environment achieve full access to the bandwidth.

    Because collisions cause significant congestion in Ethernet networks, an effective solution is full-duplex communication. Typically, 10/100-Mbps Ethernet operates in half-duplex mode, which means that stations can either receive or transmit. In full-duplex mode, which is configurable on these interfaces, two stations can transmit and receive at the same time. When packets can flow in both directions simultaneously, the effective Ethernet bandwidth doubles. 1/10-Gigabit Ethernet operates in full duplex only.

    Switching Frames Between Segments

    Each LAN port on a device can connect to a single workstation, server, or to another device through which workstations or servers connect to the network.

    To reduce signal degradation, the device considers each LAN port to be an individual segment. When stations connected to different LAN ports need to communicate, the device forwards frames from one LAN port to the other at wire speed to ensure that each session receives full bandwidth.

    To switch frames between LAN ports efficiently, the device maintains an address table. When a frame enters the device, it associates the media access control (MAC) address of the sending network device with the LAN port on which it was received.

    Building the Address Table and Address Table Changes

    The device dynamically builds the address table by using the MAC source address of the frames received. When the device receives a frame for a MAC destination address not listed in its address table, it floods the frame to all LAN ports of the same VLAN except the port that received the frame. When the destination station replies, the device adds its relevant MAC source address and port ID to the address table. The device then forwards subsequent frames to a single LAN port without flooding all LAN ports.

    You can configure MAC addresses, which are called static MAC addresses, to statically point to specified interfaces on the device. These static MAC addresses override any dynamically learned MAC addresses on those interfaces. You cannot configure broadcast addresses as static MAC addresses. Beginning with Cisco NX-OS Release 5.2(1), multicast MAC addresses can be configured as static MAC addresses. For further information, see the “Configuring IGMP Snooping” of the Cisco Nexus 7000 Series NX-OS Multicast Routing Configuration Guide. The static MAC entries are retained across a reboot of the device.

    Beginning with Cisco NX-OS Release 4.1(5), you must manually configure identical static MAC addresses on both devices connected by a virtual port channel (vPC) peer link. The MAC address table display is enhanced to display information on MAC addresses when you are using vPCs.

    See the Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide for information about vPCs.

    The address table can store a number of MAC address entries depending on the hardware I/O module. The device uses an aging mechanism, defined by a configurable aging timer, so if an address remains inactive for a specified number of seconds, it is removed from the address table.

    See the Cisco Nexus 7000 Series NX-OS Security Command Reference for information on MAC port security.
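    The learning, flooding, static-override and aging behaviour described above can be modelled in a few lines. This is an added example, not NX-OS code: the MacTable class, its method names and the sample frames are hypothetical, the timer uses the guide's 1800-second default, and the rule that a static entry is never displaced by a frame seen on another port is a modelling assumption based on "static MAC addresses override any dynamically learned MAC addresses".

```python
"""Toy model of a Layer 2 MAC address table (illustration only, not NX-OS code)."""

BROADCAST = "ffff.ffff.ffff"


class MacTable:
    def __init__(self, ports_by_vlan, aging_time=1800):
        # ports_by_vlan: {vlan_id: set of port names that carry that VLAN}
        self.ports_by_vlan = ports_by_vlan
        self.aging_time = aging_time   # seconds; 0 disables aging
        self.dynamic = {}              # (vlan, mac) -> (port, last_seen)
        self.static = {}               # (vlan, mac) -> port

    def add_static(self, vlan, mac, port):
        """Pin a MAC to a port; broadcast addresses are rejected."""
        if mac.lower() == BROADCAST:
            raise ValueError("broadcast addresses cannot be static entries")
        self.static[(vlan, mac)] = port
        self.dynamic.pop((vlan, mac), None)   # static overrides dynamic

    def age_out(self, now):
        """Drop dynamic entries idle for aging_time seconds or more."""
        if self.aging_time == 0:
            return []
        expired = [key for key, (_, seen) in self.dynamic.items()
                   if now - seen >= self.aging_time]
        for key in expired:
            del self.dynamic[key]
        return expired

    def receive(self, vlan, src, dst, in_port, now):
        """Process one frame and return the sorted list of egress ports."""
        self.age_out(now)
        # Learn (or refresh) the source address unless a static entry pins it.
        if (vlan, src) not in self.static:
            self.dynamic[(vlan, src)] = (in_port, now)
        key = (vlan, dst)
        if key in self.static:
            out = self.static[key]
        elif key in self.dynamic:
            out = self.dynamic[key][0]
        else:
            # Unknown destination: flood the VLAN except the ingress port.
            return sorted(self.ports_by_vlan[vlan] - {in_port})
        return [] if out == in_port else [out]


def demo():
    """Replay four constructed frames between two hosts on VLAN 10."""
    table = MacTable({10: {"e1/1", "e1/2", "e1/3"}, 20: {"e1/3", "e1/4"}})
    host_a, host_b = "0000.0000.000a", "0000.0000.000b"
    return [
        table.receive(10, host_a, host_b, "e1/1", now=0),     # unknown: flood
        table.receive(10, host_b, host_a, "e1/2", now=1),     # reply: A known
        table.receive(10, host_a, host_b, "e1/1", now=2),     # B now known
        table.receive(10, host_a, host_b, "e1/1", now=1802),  # B aged out
    ]


if __name__ == "__main__":
    for egress in demo():
        print(egress)
```

    The last frame floods again because host B has been idle for longer than the aging time, which is why a short aging time increases unknown-unicast flooding.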

    Consistent MAC Address Tables on the Supervisor and on the Modules

    Optimally, all the MAC address tables on each module exactly match the MAC address table on the supervisor. Beginning with Cisco NX-OS 4.1(2), when you enter the show forwarding consistency l2 command, the device displays discrepant, missing, and extra MAC address entries.

    Layer 3 Static MAC Addresses

    Beginning with Release 4.2, you can configure a static MAC address for all Layer 3 interfaces. The default MAC address for the Layer 3 interfaces is the VDC MAC address.

    You can configure a static MAC address for the following Layer 3 interfaces:

    • Layer 3 interfaces

    • Layer 3 subinterfaces

    • Layer 3 port channels

    • VLAN network interface

    Note: You cannot configure static MAC addresses on tunnel interfaces.

    See the Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide for information on configuring Layer 3 interfaces.

    High Availability for Switching

    You can upgrade or downgrade the software seamlessly, with respect to classical Ethernet switching. Beginning with Release 4.2(1), if you have configured static MAC addresses on Layer 3 interfaces, you must unconfigure those ports in order to downgrade the software.

    Note: See the Cisco Nexus 7000 Series NX-OS High Availability and Redundancy Guide for complete information on high availability features.

    Virtualization Support for Layer 2 Switching

    The device supports virtual device contexts (VDCs), and the configuration and operation of the MAC address table are local to the VDC.

    Note: See the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide for complete information on VDCs and assigning resources.

    MAC Address Movement

    Rapid MAC address movement, caused by either a Layer 2 loop or other system events (for example, misconfiguration, a dual-active server cluster, and so on), could, if not limited, eventually overload the supervisor and potentially impact other processes. Such a situation might lead to overall instability of the control plane. To avoid this situation, rapid MAC move protection has been implemented in the processes that handle MAC address learning.

    MAC Move Protection

    The following methods protect the supervisor (SUP) from excessive MAC moves:

    • Software throttle: Use the mac address loop-detect flow-control-fe command.

    • Hardware throttle: Use the mac address loop-detect disable-learn-vlan command.

    Software throttling is enabled by default and is the recommended method. You can use only one throttling method at a time. The throttling commands should be executed within a VDC.

    Software Throttle

    In software throttle, the mac-move notifications are throttled so that the rate of mac-move notifications from the module to the supervisor is limited.

    This throttling is usually done per Forwarding Engine (FE), that is, at the ASIC level, on a specific module. If necessary (for example, during rapid MAC moves across all modules in the system), global throttling is invoked, which throttles notifications from all FEs on all modules in order to protect the supervisor.

    Hardware Throttle

    In hardware throttle, MAC learning is disabled on a particular VLAN (for all FEs and all modules) for a specific time and then re-enabled. This throttling can be done at the per-VLAN level (per-VLAN throttle) or for all VLANs (global throttle).

    Increasing the Throttle

    If the software throttle is found to be inadequate in extreme cases, the mac-move information sent from the line card module is reduced.

    This method is not a recommended option and should be exercised with caution.

    Note: Increasing the threshold could make the system unstable if it is not set according to the device scale.

    The reduction in mac-move information sent is done in two ways:

    • Reduce the number of notifications that can be batched.

    • Change/increase the time period after which this notification batch can be sent from the module to the supervisor module.

    Use the mac address throttle-buffer-intv {max | optimal} command (to be executed within a VDC) to increase the throttle by tuning the throttle buffer and the scan duration on the line card module.

    When the max keyword is used, the throttling is maximum: the information sent from the line card module to the supervisor is reduced and spaced out more.

    When the optimal keyword is used, the throttling is medium.

    When this command is not used, the throttling is minimum (which is the default).

    Prerequisites for Configuring MAC Addresses

    MAC addresses have the following prerequisites:

    • You must be logged onto the device.

    Guidelines and Limitations for Configuring MAC Addresses

    MAC addresses have the following configuration guidelines and limitations:

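    MAC Address Table          Age Group
    M1 Line Cards              128,000 entries
    F1 Line Cards              16,000 to 256,000 entries
    F2 and F2e Line Cards      16,000 to 192,000 entries

    Note: The F2 and F2e modules synchronize the MAC address tables for a VLAN across all Switch on Chips (SoCs) present in a virtual device context (VDC) when a switch virtual interface (SVI) for the VLAN is configured. Synchronizing the MAC address tables can reduce the number of MAC addresses supported in a VDC to 16,000.

    Beginning with NX-OS Release 6.0.1, the learning mode feature is supported. Learning mode has the following configuration guidelines and limitations:

    Line Cards: M1
        Classic Ethernet (CE) Nonconversational Learning Supported: Yes
        Classic Ethernet (CE) Conversational Learning Supported: NA
        Fabric Path Conversational Learning: NA
        Fabric Path Nonconversational Learning: NA

    Line Cards: F1
        Classic Ethernet (CE) Nonconversational Learning Supported: Yes
        Classic Ethernet (CE) Conversational Learning Supported: Yes
        Fabric Path Conversational Learning: Yes
        Fabric Path Nonconversational Learning: No

    Line Cards: F2 and F2e
        Classic Ethernet (CE) Nonconversational Learning Supported: Yes
        Classic Ethernet (CE) Conversational Learning Supported: Yes
        Fabric Path Conversational Learning: Yes
        Fabric Path Nonconversational Learning: Yes, if the switch virtual interface (SVI) is configured.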

    Note: When you configure a static MAC address on a vPC switch, ensure that you configure a corresponding static MAC address on the other vPC switch. If you configure the static MAC address only on one of the vPC switches, the other vPC switch will not learn the MAC address dynamically.

    Default Settings for Layer 2 Switching

    This table lists the default setting for Layer 2 switching parameters.

    Table 1: Default Layer 2 Switching Parameters

    Parameters      Default
    Aging time      1800 seconds

    Configuring Layer 2 Switching

    Note: If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.

    Configuring a Static MAC Address

    You can configure MAC addresses, which are called static MAC addresses, to statically point to specified interfaces on the device. These static MAC addresses override any dynamically learned MAC addresses on those interfaces. You cannot configure broadcast addresses as static MAC addresses. Beginning with Cisco NX-OS Release 5.2(1), multicast MAC addresses can be configured as static MAC addresses. For further information, see the "Configuring IGMP Snooping" of the Cisco Nexus 7000 Series NX-OS Multicast Routing Configuration Guide.

    Before you begin

    Before you configure static MAC addresses, ensure that you are in the correct VDC (or enter the switchto vdc command).

    Procedure

    Step 1
        Command or Action: config t
        Purpose: Enters global configuration mode.
        Example:
            switch# config t
            switch(config)#

    Step 2
        Command or Action: mac address-table static mac-address vlan vlan-id {[drop | interface {type slot/port} | port-channel number]}
        Purpose: Specifies a static MAC address to add to the Layer 2 MAC address table.
        Example:
            switch(config)# mac address-table static 1.1.1 vlan 2 interface ethernet 1/2

    Step 3
        Command or Action: exit
        Purpose: Exits global configuration mode.
        Example:
            switch(config)# exit
            switch#

    Step 4
        Command or Action: (Optional) show mac address-table static
        Purpose: Displays the static MAC addresses.
        Example:
            switch# show mac address-table static

    Step 5
        Command or Action: (Optional) copy running-config startup-config
        Purpose: Copies the running configuration to the startup configuration.
        Example:
            switch# copy running-config startup-config

    Example

    This example shows how to put a static entry in the Layer 2 MAC address table:

        switch# config t
        switch(config)# mac address-table static 1.1.1 vlan 2 interface ethernet 1/2
        switch(config)#

    Configuring a Static MAC Address on a Layer 3 Interface

    Beginning with Release 4.2(1), you can configure static MAC addresses on Layer 3 interfaces. You cannot configure broadcast addresses as static MAC addresses. Beginning with Cisco NX-OS Release 5.2(1), multicast MAC addresses can be configured as static MAC addresses. For further information, see the "Configuring IGMP Snooping" of the Cisco Nexus 7000 Series NX-OS Multicast Routing Configuration Guide.

    Note: You cannot configure static MAC addresses on tunnel interfaces.

    See the Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide for information on configuring Layer 3 interfaces.

    Before you begin

    Before you configure static MAC addresses, ensure that you are in the correct VDC (or enter the switchto vdc command).

    Procedure

    Step 1
        Command or Action: config t
        Purpose: Enters global configuration mode.
        Example:
            switch# config t
            switch(config)#

    Step 2
        Command or Action: interface [ethernet slot/port | ethernet slot/port.number | port-channel number | vlan vlan-id]
        Purpose: Specifies the Layer 3 interface and enters interface configuration mode.
        Note: You must create the Layer 3 interface before you can assign the static MAC address.
        Example:
            switch(config)# interface ethernet 7/3

    Step 3
        Command or Action: mac-address mac-address
        Purpose: Specifies a static MAC address to add to the Layer 3 interface.
        Example:
            switch(config-if)# mac-address 22ab.47dd.ff89
            switch(config-if)#

    Step 4
        Command or Action: exit
        Purpose: Exits interface configuration mode.
        Example:
            switch(config-if)# exit
            switch(config)#

    Step 5
        Command or Action: (Optional) show interface [ethernet slot/port | ethernet slot/port.number | port-channel number | vlan vlan-id]
        Purpose: Displays information about the Layer 3 interface.
        Example:
            switch# show interface ethernet 7/3

    Step 6
        Command or Action: (Optional) copy running-config startup-config
        Purpose: Copies the running configuration to the startup configuration.
        Example:
            switch# copy running-config startup-config

    Example

    This example shows how to configure the Layer 3 interface on slot 7, port 3 with a static MAC address:

        switch# config t
        switch(config)# interface ethernet 7/3
        switch(config-if)# mac-address 22ab.47dd.ff89
        switch(config-if)#

    Configuring the Aging Time for the MAC Address Table

    You can configure the amount of time that a MAC address entry (the packet source MAC address and port on which that packet was learned) remains in the MAC address table, which contains the Layer 2 information.

    Note: You can also configure the MAC aging time in interface configuration mode or VLAN configuration mode.

    Before you begin

    Before you configure the aging time for the MAC address table, ensure that you are in the correct VDC (or enter the switchto vdc command).

    Procedure

    Step 1
        Command or Action: config t
        Purpose: Enters global configuration mode.
        Example:
            switch# config t
            switch(config)#

    Step 2
        Command or Action: mac address-table aging-time seconds [vlan vlan_id]
        Purpose: Specifies the time before an entry ages out and is discarded from the Layer 2 MAC address table. The range is from 120 to 918000; the default is 1800 seconds. Entering the value 0 disables the MAC aging.
        Example:
            switch(config)# mac address-table aging-time 600

    Step 3
        Command or Action: exit
        Purpose: Exits global configuration mode.
        Example:
            switch(config)# exit
            switch#

    Step 4
        Command or Action: (Optional) show mac address-table aging-time
        Purpose: Displays the aging time configuration for MAC address retention.
        Example:
            switch# show mac address-table aging-time

    Step 5
        Command or Action: (Optional) copy running-config startup-config
        Purpose: Copies the running configuration to the startup configuration.
        Example:
            switch# copy running-config startup-config

    Example

    This example shows how to set the ageout time for entries in the Layer 2 MAC address table to 600 seconds (10 minutes):

        switch# config t
        switch(config)# mac address-table aging-time 600
        switch(config)#

    Configuring Learning Mode for VLANs

    Beginning with NX-OS Release 6.0.1, configuring the learning mode for VLANs is supported. Based on the learning mode configured, the Cisco NX-OS software can install MAC addresses in hardware either conversationally or nonconversationally.

    Before you begin

    Before you configure the learning mode for VLANs, ensure that you are in the correct VDC (or enter the switchto vdc command).

    Procedure

    Step 1
        Command or Action: config t
        Purpose: Enters global configuration mode.
        Example:
            switch# config t
            switch(config)#

    Step 2
        Command or Action: mac address-table learning-mode conversational vlan-range of CE-vlans
        Purpose: Specifies the learning mode for the Layer 2 MAC address table. The options are conversational learning and nonconversational learning.
        Example:
            switch(config)# mac address-table learning-mode conversational vlan1

    Step 3
        Command or Action: exit
        Purpose: Exits global configuration mode.
        Example:
            switch(config)# exit
            switch#

    Example

    This example shows how to set the learning mode to conversational for the VLANs:

        switch# config t
        switch(config)# mac address-table learning-mode conversational vlan1
        switch(config)# end
        switch(config)# show mac address-table learning-mode

    Enabling MAC Move Protection

    Procedure

    Step 1
        Command or Action: config t
        Purpose: Enters global configuration mode.
        Example:
            switch# config t
            switch(config)#

    Step 2
        Command or Action: mac address loop-detect flow-control-fe global-thresh-time threshold-time global-thresh-count threshold-count
        Purpose: Enables FE-based flow control to turn on the software throttle for mac-move protection for all FEs on all line cards.
        Example:
            switch(config)# mac address loop-detect flow-control-fe global-thresh-time 5 global-thresh-count 500

    Step 3
        Command or Action: mac address loop-detect flow-control-fe threshold-time threshold-time threshold-count threshold-count
        Purpose: Enables FE-based flow control to turn on the software throttle for mac-move protection for a specific FE (per ASIC level).
        Example:
            switch(config)# mac address-table loop-detect flow-control-fe threshold-time 5 threshold-count 500

    Step 4
        Command or Action: mac address loop-detect disable-learn-vlan global-thresh-time threshold-time global-thresh-count threshold-count
        Purpose: Disables the mac-learning for all VLANs (global throttle).
        Example:
            switch(config)# mac address loop-detect disable-learn-vlan global-thresh-time 5 global-thresh-count 500

    Step 5
        Command or Action: mac address loop-detect disable-learn-vlan threshold-time threshold-time threshold-count threshold-count
        Purpose: Disables the mac-learning per VLAN (per VLAN throttle).
        Example:
            switch(config)# mac address loop-detect disable-learn-vlan threshold-time 5 threshold-count 500

    Step 6
        Command or Action: mac address throttle-buffer-intv max
        Purpose: Uses maximum scan interval and buffer size to increase/decrease the throttle; and to effect maximum throttle.
        Example:
            switch(config)# mac address throttle-buffer-intv max

    Step 7
        Command or Action: mac address throttle-buffer-intv optimal
        Purpose: Uses optimal scan interval and buffer size to throttle at a medium level.
        Example:
            switch(config)# mac address throttle-buffer-intv optimal

    Step 8
        Command or Action: exit
        Purpose: Exits global configuration mode.
        Example:
            switch(config)# exit
            switch#
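    The threshold-time and threshold-count pairs in the procedure above define a rate: a number of MAC moves inside a time window, counted per VLAN or globally. The following added example (not NX-OS code and not Cisco's implementation) applies the same idea to a stream of learning events, for instance from collected telemetry, so that a loop or flapping host can be spotted. The MacMoveMonitor class, the event tuple layout, the constructed events, and the rule that a threshold trips when the count inside a sliding window reaches threshold-count are all assumptions.

```python
"""Sliding-window MAC move monitor (illustration only, not NX-OS code)."""
from collections import defaultdict, deque


class MacMoveMonitor:
    """Counts MAC moves per VLAN and globally inside a time window."""

    def __init__(self, threshold_time=5, threshold_count=500,
                 global_thresh_time=5, global_thresh_count=500):
        self.threshold_time = threshold_time          # seconds, per VLAN
        self.threshold_count = threshold_count        # moves, per VLAN
        self.global_thresh_time = global_thresh_time
        self.global_thresh_count = global_thresh_count
        self.location = {}                    # (vlan, mac) -> last port seen
        self.vlan_moves = defaultdict(deque)  # vlan -> timestamps of moves
        self.global_moves = deque()           # timestamps of moves, all VLANs

    @staticmethod
    def _push(window, ts, span):
        """Record a move at ts, drop moves older than span, return the count."""
        window.append(ts)
        while window and ts - window[0] >= span:
            window.popleft()
        return len(window)

    def observe(self, ts, vlan, mac, port):
        """Feed one learning event; return the set of thresholds it tripped."""
        key = (vlan, mac)
        previous = self.location.get(key)
        self.location[key] = port
        if previous is None or previous == port:
            return set()          # first sighting or refresh, not a move
        alerts = set()
        count = self._push(self.vlan_moves[vlan], ts, self.threshold_time)
        if count >= self.threshold_count:
            alerts.add(("vlan", vlan))
        count = self._push(self.global_moves, ts, self.global_thresh_time)
        if count >= self.global_thresh_count:
            alerts.add(("global", "all"))
        return alerts


def first_trips(events, monitor):
    """Replay (ts, vlan, mac, port) events; return {alert: first ts it fired}."""
    trips = {}
    for ts, vlan, mac, port in sorted(events):
        for alert in monitor.observe(ts, vlan, mac, port):
            trips.setdefault(alert, ts)
    return trips


def constructed_events():
    """Constructed sample: a looped MAC on VLAN 10 plus one benign move on VLAN 20."""
    loop = [(i / 200, 10, "0000.0000.00aa", "e1/1" if i % 2 == 0 else "e1/2")
            for i in range(600)]                      # flaps every 5 ms
    benign = [(0.5, 20, "0000.0000.00bb", "e1/3"),
              (1.0, 20, "0000.0000.00bb", "e1/4")]    # a host that moved once
    return loop + benign


if __name__ == "__main__":
    # Uses the 5-second / 500-move values from the procedure's examples.
    print(first_trips(constructed_events(), MacMoveMonitor()))
```

    With the constructed events, the global counter trips one move before the VLAN 10 counter because the single benign move on VLAN 20 also counts toward it, while VLAN 20 itself never trips.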

    Checking the Consistency of MAC Address Tables

    Beginning with Release 4.1(2), you can check the match between the MAC address table on the supervisor and all the modules.

    Procedure

    Step 1
        Command or Action: show forwarding consistency l2 {module_number}
        Purpose: Displays the discrepant, missing, and extra MAC addresses between the supervisor and the specified module.
        Example:
            switch# show forwarding consistency l2 7
            switch#

    Example

    This example shows how to display discrepant, missing, and extra entries in the MAC address tables between the supervisor and the specified module:

        switch# show forwarding consistency l2 7
        switch#

    Clearing Dynamic Addresses from the MAC Address Table

    You can clear all dynamic Layer 2 entries in the MAC address table.

    Before you begin

    Before you clear the dynamic MAC address table, ensure that you are in the correct VDC (or enter the switchto vdc command).

    Procedure

    Step 1
        Command or Action: clear mac address-table dynamic {address mac_addr} {interface [ethernet slot/port | loopback number | port-channel channel-number]} {vlan vlan_id}
        Purpose: Clears the dynamic address entries from the MAC address table in Layer 2.
        Example:
            switch# clear mac address-table dynamic

    Step 2
        Command or Action: (Optional) show mac address-table
        Purpose: Displays the MAC address table.
        Example:
            switch# show mac address-table

    Example

    This example shows how to clear the dynamic entries in the Layer 2 MAC address table:

        switch# clear mac address-table dynamic
        switch#

    Verifying the Layer 2 Switching Configuration

    To display Layer 2 switching configuration information, perform one of the following tasks:

    Command                                    Purpose
    show mac address-table                     Displays information about the MAC address table.
    show mac address-table aging-time          Displays information about the aging time set for the MAC address entries.
    show mac address-table static              Displays information about the static entries on the MAC address table.
    show interface [interface] mac-address     Displays the MAC addresses and the burned in MAC addresses for the interfaces.
    show forwarding consistency l2 {module}    Displays discrepant, missing, and extra MAC addresses between the tables on the module and the supervisor.

    For information on the output of these commands, see the Cisco Nexus 7000 Series NX-OS Layer 2 Switching Command Reference.

    Configuration Example for Layer 2 Switching

    The following example shows how to add a static MAC address and how to modify the default global aging time for MAC addresses:

        switch# configure terminal
        switch(config)# mac address-table static 0000.0000.1234 vlan 10 interface ethernet 2/15
        switch(config)# mac address-table aging-time 120
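    The guide requires identical static MAC addresses on both vPC peers, forbids broadcast addresses as static entries, and limits the aging time to 0 or 120 to 918000 seconds. The following added example (not Cisco code) checks those three rules against saved configuration text from two peers. The function names and both sample configurations are constructed for illustration, and the regular expressions assume the command forms shown in this chapter, with short MAC forms such as 1.1.1 zero-padded to 0001.0001.0001.

```python
"""Audit NX-OS static MAC and aging-time lines (illustration only)."""
import re

STATIC_RE = re.compile(
    r"^\s*mac address-table static\s+"
    r"(?P<mac>[0-9a-f]{1,4}(?:\.[0-9a-f]{1,4}){2})"
    r"\s+vlan\s+(?P<vlan>\d+)\s+"
    r"(?P<target>drop|interface\s+\S+(?:\s+\S+)?|port-channel\s+\d+)\s*$",
    re.IGNORECASE,
)
AGING_RE = re.compile(
    r"^\s*mac address-table aging-time\s+(?P<secs>\d+)(?:\s+vlan\s+\d+)?\s*$"
)
BROADCAST = "ffff.ffff.ffff"


def normalize_mac(mac):
    """Zero-pad each dotted group to four hex digits and lowercase it."""
    return ".".join(group.lower().zfill(4) for group in mac.split("."))


def static_entries(config_text):
    """Return {(mac, vlan): target} for every static MAC line."""
    entries = {}
    for line in config_text.splitlines():
        match = STATIC_RE.match(line)
        if match:
            key = (normalize_mac(match["mac"]), int(match["vlan"]))
            entries[key] = " ".join(match["target"].split())
    return entries


def bad_aging_times(config_text):
    """Return aging-time values outside 0 or 120..918000 seconds."""
    values = []
    for line in config_text.splitlines():
        match = AGING_RE.match(line)
        if match:
            secs = int(match["secs"])
            if secs != 0 and not 120 <= secs <= 918000:
                values.append(secs)
    return values


def audit_vpc_peers(config_a, config_b):
    """Compare two peers' static MAC entries and validate each config."""
    a, b = static_entries(config_a), static_entries(config_b)
    return {
        "only_on_a": sorted(set(a) - set(b)),
        "only_on_b": sorted(set(b) - set(a)),
        "broadcast": sorted(k for k in set(a) | set(b) if k[0] == BROADCAST),
        "bad_aging": {"a": bad_aging_times(config_a),
                      "b": bad_aging_times(config_b)},
    }


# Constructed sample configurations for two vPC peers.
PEER_A = """
mac address-table static 0000.0000.1234 vlan 10 interface ethernet 2/15
mac address-table static 1.1.1 vlan 2 interface ethernet 1/2
mac address-table aging-time 120
"""
PEER_B = """
mac address-table static 0001.0001.0001 vlan 2 interface ethernet 1/2
mac address-table static ffff.ffff.ffff vlan 10 drop
mac address-table aging-time 60
"""

if __name__ == "__main__":
    for finding, value in audit_vpc_peers(PEER_A, PEER_B).items():
        print(finding, value)
```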

    Additional References for Layer 2 Switching

    Related Documents

    Related Topic                          Document Title
    Port security, static MAC addresses    Cisco Nexus 7000 Series NX-OS Security Configuration Guide
    Interfaces                             Cisco Nexus 7000 Series NX-OS Interfaces Configuration Guide
    Command reference                      Cisco Nexus 7000 Series NX-OS Layer 2 Switching Command Reference
    High availability                      Cisco Nexus 7000 Series NX-OS High Availability and Redundancy Guide
    VDCs                                   Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide
    System management                      Cisco Nexus 7000 Series NX-OS System Management Configuration Guide
    Licensing                              Cisco NX-OS Licensing Guide
    Release Notes                          Cisco Nexus 7000 Series NX-OS Release Notes

    Standards

    Standards                                                                                                                                    Title
    No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.      —

    Feature History for Configuring Layer 2 Switching

    This table lists the release history for this feature.

    Table 2: Feature History for Configuring Layer 2 Switching

    Feature Name                              Releases    Feature Information
    MAC move protection                       8.2(3)      MAC move protection using software throttle and hardware throttle is supported.
    Learning mode for VLANs                   6.0(1)      You can configure conversational or nonconversational learning mode for VLANs.
    Layer 3 interface static MAC addresses    4.2(1)      You can configure a Layer 3 interface with a static MAC address.
    show mac address-table                    4.1(2)      This display provides additional information when vPC is enabled and running.
    Layer 2 consistency                       4.1(2)      The show forwarding consistency l2 command displays inconsistent entries on the MAC address table between the modules.

    CHAPTER 4

    Configuring VLANs

    This chapter describes how to configure virtual LANs (VLANs) on Cisco NX-OS devices.

    This chapter includes the following sections:

    • Finding Feature Information
    • Information About VLANs
    • Prerequisites for Configuring VLANs
    • Guidelines and Limitations for Configuring VLANs
    • Default Settings for VLANs
    • Configuring a VLAN
    • Verifying the VLAN Configuration
    • Displaying and Clearing VLAN Statistics
    • Configuration Example for VLANs
    • Additional References for VLANs
    • Feature History for Configuring VLANs

    Finding Feature Information

    Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "New and Changed Information" chapter or the Feature History table in this chapter.

    Information About VLANs

    You can use VLANs to divide the network into separate logical areas at the Layer 2 level. VLANs can also be considered as broadcast domains.

    Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations in that VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a router.


  • Understanding VLANs

    A VLAN is a group of end stations in a switched network that is logically segmented by function or application, without regard to the physical locations of the users. VLANs have the same attributes as physical LANs, but you can group end stations even if they are not physically located on the same LAN segment.

    Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations in that VLAN. Each VLAN is considered as a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a router. The following figure shows VLANs as logical networks. The stations in the engineering department are assigned to one VLAN, the stations in the marketing department are assigned to another VLAN, and the stations in the accounting department are assigned to another VLAN.

    VLANs are usually associated with IP subnetworks. For example, all the end stations in a particular IP subnet belong to the same VLAN. To communicate between VLANs, you must route the traffic.

    By default, a newly created VLAN is operational; that is, the newly created VLAN is in the no shutdown condition. Additionally, you can configure VLANs to be in the active state, which is passing traffic, or the suspended state, in which the VLANs are not passing packets. By default, the VLANs are in the active state and pass traffic.

    VLAN Ranges

    Note: The extended system ID is always automatically enabled in Cisco NX-OS devices.

    The device supports up to 4094 VLANs in accordance with the IEEE 802.1Q standard. The software organizes these VLANs into ranges, and you use each range slightly differently.

    For information about configuration limits, see the documentation for your switch.

    This table describes the VLAN ranges.

    Table 3: VLAN Ranges

    | VLAN Numbers | Range | Usage |
    |---|---|---|
    | 1 | Normal | Cisco default. You can use this VLAN, but you cannot modify or delete it. |
    | 2 to 1005 | Normal | You can create, use, modify, and delete these VLANs. |
    | 1006 to 3967 and 4048 to 4093 | Extended | You can create, name, and use these VLANs. You cannot change the following parameters: the state is always active; the VLAN is always enabled. You cannot shut down these VLANs. |
    | 3968 to 4047 and 4094 | Internally allocated | These 80 VLANs and VLAN 4094 are allocated for internal device use. You cannot create, delete, or modify any VLANs within the block reserved for internal use. |

    The software allocates a group of VLAN numbers for features such as multicast and diagnostics that need to use internal VLANs for their operation. You cannot use, modify, or delete any of the VLANs in the reserved group. You can display the VLANs that are allocated internally and their associated use.

    Creating, Deleting, and Modifying VLANs

    Note: By default, all Cisco NX-OS ports are Layer 3 ports.

    VLANs are numbered from 1 to 4094 for each VDC. All ports that you have configured as switch ports belong to the default VLAN when you first bring up the switch as a Layer 2 device. The default VLAN (VLAN1) uses only default values, and you cannot create, delete, or suspend activity in the default VLAN.

    You create a VLAN by assigning a number to it; you can delete VLANs and move them from the active operational state to the suspended operational state. If you attempt to create a VLAN with an existing VLAN ID, the device goes into the VLAN submode but does not create the same VLAN again.

    Newly created VLANs remain unused until Layer 2 ports are assigned to the specific VLAN. All the ports are assigned to VLAN1 by default.

    Depending on the range of the VLAN, you can configure the following parameters for VLANs (except the default VLAN):

    • VLAN name

    • VLAN state

    • Shutdown or not shutdown

    When you delete a specified VLAN, the ports associated to that VLAN become inactive and no traffic flows. When you delete a specified VLAN from a trunk port, only that VLAN is shut down and traffic continues to flow on all the other VLANs through the trunk port.

    However, the system retains all the VLAN-to-port mapping for that VLAN, and when you reenable or re-create that specified VLAN, the system automatically reinstates all the original ports to that VLAN. The static MAC addresses and aging time for that VLAN are not restored when the VLAN is reenabled.

    High Availability for VLANs

    The software supports high availability for both stateful and stateless restarts, as during a cold reboot, for VLANs. For the stateful restarts, the software supports a maximum of three retries. If you try more than 3 times within 10 seconds of a restart, the software reloads the supervisor module.

    You can upgrade or downgrade the software seamlessly when you use VLANs.

    Virtualization Support for VLANs

    The software supports virtual device contexts (VDCs), and VLAN configuration and operation are local to the VDC.

    When you create a new VDC, the device automatically creates a new default VLAN, VLAN1, and internally reserves VLANs for device use.


    One or more VLANs can be associated with a role to either allow or disallow the user to configure it. When a VLAN is associated with a role, the corresponding interfaces will also be subjected to the same check. For instance, if a role is allowed to access VLAN1, that role also has access to the interfaces that have that VLAN. If an interface does not have the VLAN associated with a role, that interface is not accessible to that role.

    Prerequisites for Configuring VLANs

    VLANs have the following prerequisites:

    • You must be logged onto the device.

    • You must create the VLAN before you can do any modification of that VLAN.

    Guidelines and Limitations for Configuring VLANs

    VLANs have the following configuration guidelines and limitations:

    • The maximum number of VLANs per VDC is 4094.

    • VLAN 4094 is a reserved VLAN.

    • You cannot create, modify, or delete any VLANs that are within the group of VLANs reserved for internal use.

    • VLAN1 is the default VLAN. You cannot create, modify, or delete this VLAN.

    • VLANs 1006 to 4094 are always in the active state and are always enabled. You cannot suspend the state or shut down these VLANs.

    • An interface policer and CoPP classification do not work for the Layer 2 control traffic in the native VLAN in the following scenarios:

        • When the native vlan (ID other than 1) command is configured on the interface and the native VLAN ID is missing in the configuration.

        • If the vlan dot1q tag native exclude control command is configured.

    Default Settings for VLANs

    This table lists the default settings for VLAN parameters.

    Table 4: Default VLAN Parameters

    | Parameters | Default |
    |---|---|
    | VLANs | Enabled |
    | VLAN | VLAN1—A port is placed in VLAN1 when you configure it as a switch port. |
    | VLAN ID | 1 |
    | VLAN name | Default VLAN (VLAN1)—default; all other VLANs—VLANvlan-id |
    | VLAN state | Active |
    | STP | Enabled; Rapid PVST+ is enabled |
    | VTP | Disabled |
    | VTP version | 1 |

    Configuring a VLAN

    Creating and Deleting a VLAN

    You can create or delete all VLANs except the default VLAN and those VLANs that are internally allocated for use by the device.

    Once a VLAN is created, it is automatically in the active state.

    Note: When you delete a VLAN, ports associated to that VLAN become inactive. Therefore, no traffic flows and the packets are dropped. On trunk ports, the port remains open and the traffic from all other VLANs except the deleted VLAN continues to flow.

    If you create a range of VLANs and some of these VLANs cannot be created, the software returns a message listing the failed VLANs, and all the other VLANs in the specified range are created.

    Note: You can also create and delete VLANs in the VLAN configuration submode.

    Before you begin

    Ensure that you are in the correct VDC (or enter the switchto vdc command). You can repeat VLAN names and IDs in different VDCs, so you must confirm that you are working in the correct VDC.


    Procedure

    Step 1 config t

    Example:
    switch# config t
    switch(config)#

    Enters global configuration mode.

    Step 2 vlan {vlan-id | vlan-range}

    Example:
    switch(config)# vlan 5
    switch(config-vlan)#

    Creates a VLAN or a range of VLANs. If you enter a number that is already assigned to a VLAN, the device puts you into the VLAN configuration submode for that VLAN. If you enter a number that is assigned to an internally allocated VLAN, the system returns an error message. However, if you enter a range of VLANs and one or more of the specified VLANs is outside the range of internally allocated VLANs, the command takes effect on only those VLANs outside the range. The range is from 2 to 4094; VLAN1 is the default VLAN and cannot be created or deleted. You cannot create or delete those VLANs that are reserved for internal use.

    Step 3 exit

    Example:
    switch(config-vlan)# exit
    switch(config)#

    Exits the VLAN mode.

    Step 4 (Optional) show vlan

    Example:
    switch# show vlan

    Displays information about the VLANs.

    Step 5 (Optional) copy running-config startup-config

    Example:
    switch(config)# copy running-config startup-config

    Copies the running configuration to the startup configuration.

    Example

    This example shows how to create a range of VLANs from 15 to 20:

    switch# config t
    switch(config)# vlan 15-20
    switch(config-vlan)# exit
    switch(config)#


  • Entering the VLAN Configuration Submode

    To configure or modify the VLAN for the following parameters, you must be in the VLAN configuration submode:

    • Name

    • State

    • Shut down

    Before you begin

    Ensure that you are in the correct VDC (or enter the switchto vdc command). You can repeat VLAN names and IDs in different VDCs, so you must confirm that you are working in the correct VDC.

    Procedure

    Step 1 config t

    Example:
    switch# config t
    switch(config)#

    Enters global configuration mode.

    Step 2 vlan {vlan-id | vlan-range}

    Example:
    switch(config)# vlan 5
    switch(config-vlan)#

    Places you into VLAN configuration submode. This submode allows you to name, set the state, disable, and shut down the VLAN or range of VLANs.

    You cannot change any of these values for VLAN1 or the internally allocated VLANs.

    Step 3 exit

    Example:
    switch(config-vlan)# exit
    switch(config)#

    Exits VLAN configuration mode.

    Step 4 (Optional) show vlan

    Example:
    switch# show vlan

    Displays information and status of VLANs.

    Step 5 (Optional) copy running-config startup-config

    Example:
    switch(config)# copy running-config startup-config

    Copies the running configuration to the startup configuration.

    Example

    This example shows how to enter and exit VLAN configuration submode:

    switch# config t
    switch(config)# vlan 15
    switch(config-vlan)# exit
    switch(config)#

    Configuring a VLAN

    To configure or modify a VLAN for the following parameters, you must be in VLAN configuration submode:

    • Name

    • State

    • Shut down

    Note: You cannot create, delete, or modify the default VLAN or the internally allocated VLANs. Additionally, some of these parameters cannot be modified on some VLANs.

    Before you begin

    Ensure that you are in the correct VDC (or enter the switchto vdc command). VLAN names and IDs can be repeated in different VDCs, so you must confirm which VDC you are working in.

    Procedure

    Step 1 config t

    Example:
    switch# config t
    switch(config)#

    Enters global configuration mode.

    Step 2 vlan {vlan-id | vlan-range}

    Example:
    switch(config)# vlan 5
    switch(config-vlan)#

    Places you into VLAN configuration submode. If the VLAN does not exist, the system creates the specified VLAN and then enters the VLAN configuration submode.

    Step 3 name vlan-name

    Example:
    switch(config-vlan)# name accounting

    Names the VLAN. You can enter up to 32 alphanumeric characters to name the VLAN. You cannot change the name of VLAN1 or the internally allocated VLANs. The default value is VLANxxxx where xxxx represents four numeric digits (including leading zeroes) equal to the VLAN ID number.

    The system vlan long-name command allows you to enable VLAN names that have up to 128 characters.

    Step 4 state {active | suspend}

    Example:
    switch(config-vlan)# state active

    Sets the state of the VLAN to active or suspend. While the VLAN state is suspended, the ports associated with this VLAN become inactive, and that VLAN does not pass any traffic. The default state is active. You cannot suspend the state for the default VLAN or VLANs 1006 to 4094.

    Step 5 no shutdown

    Example:
    switch(config-vlan)# no shutdown

    Enables the VLAN. The default value is no shutdown (or enabled). You cannot shut down the default VLAN, VLAN1, or VLANs 1006 to 4094.

    Step 6 exit

    Example:
    switch(config-vlan)# exit
    switch(config)#

    Exits VLAN configuration submode.

    Step 7 (Optional) show vlan

    Example:
    switch# show vlan

    Displays information about the VLANs.

    Step 8 (Optional) show vtp status

    Example:
    switch# show vtp status

    Displays information about the VLAN Trunking Protocol (VTP).

    Step 9 (Optional) copy running-config startup-config

    Example:
    switch(config)# copy running-config startup-config

    Copies the running configuration to the startup configuration.

    Note: Commands entered in VLAN configuration submode are immediately executed. Beginning with Cisco Release 5.1 for Nexus 7000 series devices, you must exit the VLAN configuration submode for configuration changes to take effect.

    Example

    This example shows how to configure optional parameters for VLAN 5:

    switch# config t
    switch(config)# vlan 5
    switch(config-vlan)# name accounting
    switch(config-vlan)# state active
    switch(config-vlan)# no shutdown
    switch(config-vlan)# exit
    switch(config)#
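    The restrictions from the VLAN ranges table, the guidelines, and the name, state, and shutdown steps above can be checked before a change reaches the device. The following is an added example, not Cisco code: the function names are hypothetical, and the reserved block defaults to the table's 3968 to 4047 unless you pass the block that show system vlan reserved reports.

```python
"""Pre-change check for VLAN submode commands (added example, not Cisco code)."""

MAX_VLAN = 4094
DEFAULT_VLAN = 1
LAST_NORMAL = 1005
# Default internally allocated block from the VLAN ranges table (assumption:
# pass the block reported by "show system vlan reserved" if it was changed).
DEFAULT_RESERVED = (3968, 4047)
ALWAYS_RESERVED = 4094  # remains reserved even when the block is moved


def parse_vlan_range(spec):
    """Expand a vlan-range such as '15-20,30' into a sorted list of IDs."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if lo > hi:
            raise ValueError(f"descending range: {part!r}")
        ids.update(range(lo, hi + 1))
    return sorted(ids)


def classify(vlan_id, reserved=DEFAULT_RESERVED):
    """Map a VLAN ID to default, normal, extended, internal, or invalid."""
    if not 1 <= vlan_id <= MAX_VLAN:
        return "invalid"
    if vlan_id == ALWAYS_RESERVED or reserved[0] <= vlan_id <= reserved[1]:
        return "internal"
    if vlan_id == DEFAULT_VLAN:
        return "default"
    return "normal" if vlan_id <= LAST_NORMAL else "extended"


def check_change(vlan_range, name=None, state=None, shutdown=None,
                 long_name=False, reserved=DEFAULT_RESERVED):
    """Return (accepted_ids, problems) for one planned 'vlan <range>' change.

    Follows the range behaviour described in this chapter: IDs that cannot
    be configured are reported, and the remaining IDs are still accepted.
    shutdown=True models 'shutdown'; False or None models 'no shutdown'.
    """
    accepted, problems = [], {}
    name_limit = 128 if long_name else 32  # 128 needs 'system vlan long-name'
    for vid in parse_vlan_range(vlan_range):
        kind = classify(vid, reserved)
        if kind == "invalid":
            problems[vid] = "outside 1-4094"
        elif kind == "internal":
            problems[vid] = "internally allocated; cannot create or modify"
        elif kind == "default" and (name or state == "suspend" or shutdown):
            problems[vid] = "default VLAN cannot be modified"
        elif kind == "extended" and (state == "suspend" or shutdown):
            problems[vid] = "VLANs 1006-4094 are always active and enabled"
        elif name is not None and len(name) > name_limit:
            problems[vid] = f"name longer than {name_limit} characters"
        elif state not in (None, "active", "suspend"):
            problems[vid] = f"unknown state {state!r}"
        else:
            accepted.append(vid)
    return accepted, problems


if __name__ == "__main__":
    # Constructed change requests, for illustration only.
    for args in [("3960-3970", {}),
                 ("1006", {"state": "suspend"}),
                 ("5", {"name": "accounting", "state": "active"})]:
        ok, bad = check_change(args[0], **args[1])
        print(args[0], "accepted:", ok, "rejected:", bad)
```

    A plan that relies on suspending or shutting down a VLAN in the 1006 to 4094 range is rejected here, which matches the limitation stated in the guidelines.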


  • Changing the Range of Reserved VLANs

    To change the range of reserved VLANs, you must be in global configuration mode. After entering this command, you must do the following tasks:

    • Enter the copy running-config startup-config command

    • Reload the device

    Procedure

    Step 1 config t

    Example:
    switch# config t
    switch(config)#

    Enters global configuration mode.

    Step 2 system vlan start-vlan reserve

    Example:
    switch(config)# system vlan 3968 reserve

    Allows you to change the reserved VLAN range by specifying the starting VLAN ID for your desired range.

    You can change the reserved VLANs to any other 128 contiguous VLAN ranges. When you reserve such a range, it frees up the range of VLANs that were allocated for internal use by default, and all of those VLANs are available for user configuration except for VLAN 4094.

    Note: To return to the default range of reserved VLANs (3968-4049 and 4094), you must enter the no system vlan start-vlan reserve command.

    Step 3 copy running-config startup-config

    Example:
    switch(config)# copy running-config startup-config

    Copies the running configuration to the startup configuration.

    Note: You must enter this command if you change the reserved block.

    Step 4 reload

    Example:
    switch(config)# reload

    Reloads the software, and modifications to VLAN ranges become effective.

    For more details about this command, see the Cisco Nexus 7000 Series NX-OS Fundamentals Configuration Guide, Release 6.x.

    Step 5 (Optional) show system vlan reserved

    Example:
    switch(config)# show system vlan reserved

    Displays the configured changes to the VLAN range.


    Example

    This example shows how to change the range of reserved VLANs:

    switch# configuration terminal
    switch(config)# system vlan 2000 reserve
    This will delete all configs on vlans 2000-2081. Continue anyway? (y/n) [no] y
    Note: After switch reload, VLANs 2000-2081 will be reserved for internal use.
    This requires copy running-config to startup-config before
    switch reload. Creating VLANs within this range is not allowed.
    switch(config)#

    Note: You must reload the device for this change to take effect.

    Configuring a VLAN Before Creating the VLAN

    Beginning with Cisco NX-OS Release 5.1(1), you can configure a VLAN before you create the VLAN. This procedure is used for IGMP snooping, VTP, and other configurations.

    Note: The show vlan command does not display these VLANs unless you create the VLANs using the vlan command.

    Procedure

    Step 1 config t

    Example:
    switch# config t
    switch(config)#

    Enters global configuration mode.

    Step 2 vlan configuration {vlan-id}

    Example:
    switch(config)# vlan configuration 20
    switch(config-vlan-config)#

    Allows you to configure VLANs without actually creating them.

    Example

    This example shows how to configure a VLAN before creating it:

    switch# config t
    switch(config)# vlan configuration 20
    switch(config-vlan-config)#


  • Configuring VLAN Long-Name

    Note: If VTP is enabled, it must be in transparent or in off mode. VTP cannot be in client or server mode. For more details about VTP, see the Configuring VTP chapter.

    Procedure

    Step 1 configure terminal

    Example:
    switch# configure terminal

    Enters global configuration mode.

    Step 2 system vlan long-name

    Example:
    switch(config)# system vlan long-name

    Allows you to configure the length of VLAN names up to 128 characters.

    Note: Enabling or disabling the system vlan long-name command triggers a system log message that tells you whether the VLAN long name is enabled or disabled.

    If you try to enable or disable the system vlan long-name command when it is already enabled or disabled, the system throws an error message. We recommend that you view the status of the VLAN long-name knob before enabling or disabling this command.

    Use the no form of this command to disable this feature.

    Step 3 (Optional) copy running-config startup-config

    Example:
    switch(config)# copy running-config startup-config

    Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

    Step 4 show running-config | sec long-name

    Example:
    switch(config)# show running-config | sec long-name

    Displays the VLAN long-name status information.

    Note: When you configure a VLAN name of more than 32 characters, the show vlan commands show the output in multiple lines, with each line containing a maximum of 32 characters.


    Example

    This example shows how to configure VLAN long-names of up to 128 characters.

    switch# configure terminal
    switch(config)# system vlan long-name
    !2001 Sep 29 02:24:11 N72-3 %$ VDC-1 %$ %VLAN_MGR-2-CRITICAL_MSG: VLAN long name is Enabled!
    switch(config)# copy running config startup config
    switch(config)# show running-config | sec long-name
    switch# configure terminal
    switch(config)# vlan 2
    switch(config-vlan)# name VLAN128Char000000000000000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002
    switch(config-vlan)# exit
    switch# show vlan id 2

    VLAN Name Status Ports
    ---- -------------------------------- --------- -------------------------------
    2 VLAN128Char000000000000000040000 active
    000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002
    ...

    The following example displays the error output if you try to configure a VLAN long name of more than 128 characters.

    switch# system vlan long-name
    switch(config)# vlan 2
    switch(config-vlan)# name 129Char123456789000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000987654321CiscoBangalore
    !% String exceeded max length of (128) at '^' marker.!
    Switch(config-vlan)# exit

    The following example displays the error output if you try to configure a VLAN name (more than 32 characters) without enabling the system vlan long-name command.

    switch# configure terminal
    switch(config)# vlan 2
    switch(config-vlan)# name 33Char1234567890987CiscoBangalore
    !ERROR: Long VLAN name is not enabled: Vlan name greater than 32 is not allowed!
    Switch(config-vlan)# exit

    Configuring VLAN Translation on a Trunk Port

    You can configure VLAN translation between the ingress VLAN and a local VLAN on a port. The traffic arriving on the ingress VLAN maps to the local VLAN at the ingress of the trunk port and the traffic that is internally tagged with the translated VLAN ID is mapped back to the original VLAN ID before leaving the switch port.

    Before you begin

    • Ensure that the physical or port channel on which you want to implement VLAN translation is configured as a Layer 2 trunk port.


    • Ensure that the translated VLANs are created on the switch and are also added to the Layer 2 trunk ports trunk-allowed VLAN vlan-list.

    • For FEX port-channel trunk interfaces, the last VLAN in the allowed VLAN list must be associated with a translated VLAN in one of the VLAN maps configured on the FEX fabric interface.

    Procedure

    Step 1 switch# configure terminal

    Enters global configuration mode.

    Step 2 switch(config)# interface type port

    Enters interface configuration mode.

    Enables VLAN translation on the switch port after VLAN translation is explicitly disabled. VLAN transl